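#! /usr/bin/env nix-shell
#! nix-shell -i bash -p openssl signify python3 jre_minimal
#
# Generate the signing material for a build of $DEVICE under ./keys:
#   - the AOSP APK/platform signing keys (via files/make_key),
#   - the AVB key (avb.pem) and its public-key blob avb_pkmd.bin,
#   - the signify key pair used to sign factory images,
#   - the Vanadium keystore plus its trichrome certificate digest.
# Each group is skipped when its marker file already exists, so the script is
# safe to re-run. Run it from the repository root: the make_key and avbtool.py
# helpers are resolved relative to ./files.
#
# Several steps prompt interactively (the AVB key passphrase for
# `openssl pkcs8 -scrypt`, the keytool store/key passwords).
set -eo pipefail
set -x

DEVICE=bluejay
CN=groot

# Names of the AOSP signing keys produced by files/make_key.
APK_KEYS=(releasekey platform shared media networkstack sdk_sandbox bluetooth)

# avb_pkmd.bin is written last, so its presence marks the whole group as done.
if [ ! -e "keys/$DEVICE/avb_pkmd.bin" ] ; then
  mkdir -p "keys/$DEVICE"
  # NOTE(review): this reassignment is also what the keytool -dname below
  # sees, but only when this block runs in the same invocation; otherwise the
  # keystore gets "cn=groot". Confirm which subject is intended.
  CN=GrapheneOS
  # Subshell: the cd is undone when the block ends (also on failure), so the
  # relative paths further down stay rooted at the repository.
  (
    cd "keys/$DEVICE"
    # The trap handler in make_key calls "exit 1" on normal EXIT, so its exit
    # status carries no information. Run the keys without -e and verify the
    # expected output files afterwards instead of trusting the status.
    set +e
    for key in "${APK_KEYS[@]}"; do
      bash ../../files/make_key "$key" "/CN=$CN/"
    done
    set -e
    # AOSP make_key writes <name>.pk8 and <name>.x509.pem; a missing or empty
    # file means key generation failed silently above.
    for key in "${APK_KEYS[@]}"; do
      if [ ! -s "$key.pk8" ] || [ ! -s "$key.x509.pem" ]; then
        printf 'make_key did not produce %s.pk8 / %s.x509.pem\n' "$key" "$key" >&2
        exit 1
      fi
    done
    # AVB key: 4096-bit RSA, stored passphrase-protected (scrypt) as avb.pem.
    openssl genrsa 4096 | openssl pkcs8 -topk8 -scrypt -out avb.pem
    python3 ../../files/avbtool.py extract_public_key --key avb.pem --output avb_pkmd.bin
  )
fi

if [ ! -e "keys/$DEVICE/factory.pub" ] ; then
  # -n: no passphrase, so factory.sec is stored unencrypted; restrict access
  # to the keys directory accordingly.
  signify -G -n -p "keys/$DEVICE/factory.pub" -s "keys/$DEVICE/factory.sec"
fi

if [ ! -e keys/apps/vanadium.keystore ] ; then
  mkdir -p keys/apps
  keytool -genkey -v -keystore keys/apps/vanadium.keystore -storetype pkcs12 -alias vanadium \
    -keyalg RSA -keysize 4096 -sigalg SHA512withRSA -validity 10000 -dname "cn=$CN"
  # The keystore was just written to keys/apps/ and the cwd is the repository
  # root, so export from that path (the former ./vanadium.keystore does not
  # exist here and left an empty-input digest behind).
  keytool -export-cert -alias vanadium -keystore keys/apps/vanadium.keystore \
    | sha256sum >keys/apps/vanadium.trichrome_certdigest.txt
fi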